Cyberoam has responded to warnings that its security device open up traffic to inspection by third-parties.
Researchers affiliated to the anonymity-protecting Tor Project discovered that the skeleton key digital certificate on Cyberoam devices that permitted the inspection of SSL traffic was the same on every device.
"It is …

COMMENTS

This doesn't look like news. We use something similar on our network routing our data through a SaaS cloud which does our URL filtering and virus scanning, and I've installed suitable certificates on the network to make sure all HTTPS as well as HTTP traffic gets scanned, because a virus can just as easily come in through HTTPS. Am I missing something? Unless they're just talking about the fact they're hardware devices with shared certs... suppose a company could issue one cert across multiple devices for their kit, but it still seems to be being blown out of all proportion...

Hmm...

I'd find them a lot easier to take seriously if they didn't immediately stomp in with phrases like "victim of the device". It's emotive and doesn't serve well in a security discussion. There are plenty of legitimate reasons for the use of these devices alongside the illegitimate and painting all users of the devices as people who oppress others isn't helpful.

Well Duh! Twice!

Well, duh! Twice!

Well Duh! twice - first, if TOR didn't realise that's how those things work [1], then they ought to have. Actually I'm pretty sure I have heard people from TOR mention it, several times, so maybe they just forgot.

Well Duh! again though, to Cyberoam, for reusing the same key. That is actually a pretty major security hole.

It can be fixed fairly easily, but maybe only by changing out the boxes. The in-use private key [2] should be internally generated, changed at intervals, and never leave the box..

[1] Cyberoam MITM ssl sessions in order to detect viruses. Cyberoam boxes are usually connected between the wild wild web and the office subnet. That's about the only way virus detection can be done on a subnet basis and still allow ssl connections, and it's how everybody else does it too.

To do the MITM they need to use a Certificate which is generated in the name of whoever the user is connecting to, so the user's browser thinks it's actually a genuine certificate from the website the user is connecting to. In order for the certificates to be accepted the user (or the office BOFH) has to set their browser to accept certificates issued by Cyberoam.

[2] which need not be the same key as the CA key; there are advantages to having the certificate key the same , eg it makes it easier to install Cyberoam as as CA or trusted Certificate Authority, necessary for it's proper operation. The CA key should then be used to sign the in-use key in the faked certificates.

Re: Well Duh! Twice!

Well DUH! again, but this time it's on me.

I suggested that a variable in-use key should be used, but that the CA key could be kept the same for different users. And of course that doesn't close the hole, the CA key should be unique to each office/subnet.

Suppose executive Bob sets his browser to accept keys signed by Cyberoam CA key "office". He then takes his laptop to a different place, where a bad guy has set up a Cyberoam box he bought on eBay to intercept traffic. Bob's browser will accept certs signed by the bad guy's bought-on-eBay box.

Getting from there to plaintext traffic may be easy or hard, depending, but it would at a minimum allow eg keyword detection. It's a definite hole.

Of course a shared key is also a hole for the usual reasons as well, eg someone at Cyberoam knows it, and it may be lost, demanded, sold - only people you trust can betray you, and there is no need to trust Cyberoam with the key.

Also "secure hardware" has been broken into before now, someone might spend 100 million to be able to break into a box he bought on ebay - and then he gets the key to all the kingdoms, whereas if a unique key is used for each office he gets bupkis.

Re: Well Duh! Twice!

Surely a better way to do this would be to have every Cyberoam box issue a new certificate request, which YOUR OWN enterprise CA authorises, and which the box can then use to issue it's own certs? So the box becomes an intermediate issuing CA within your existing infrastructure. Then all your clients (that trust the enterprise CA at least) will happily accept the new certs?

Standard stuff

In a corporate environment, using a transparent SSL proxy and pre-installing the relevant certificate in desktop installations is not uncommon. The decision as to whether to use such a technique needs to balance the need to protect the corporate systems and networks versus the risks and legal implications of any potential exposure of users' SSL connections to IT personnel. In my previous contract, it was considered that the risk to the network (mitigated by end point protection) was less important than the risk of some of us potentially having visibility of the directors' personal bank accounts and share dealings :-)

Re: Standard stuff

It's not what it's for, it's what it does that is important. In an enterprise environment do you notify and make sure employees understand that you un-encrypt their banking sessions if they do online banking from a work PC?

Do you expect a US CA would say no to a US Govt agency when they said give us a cert for *.* or any one of the other countries agencies that have root certs embedded in most browsers?

You may as well admit

And isn't it awfully damned odd that a mask in the (quasi) likeness of Guy Fawkes -- a staunch royalist who died under torture for the principle -- has become the symbol of the progressive rabble, whose only use for kings is to slake the thirst of a guillotine? Honestly, what won't you damned levellers co-opt?

Idiot at back of class puts his hand up with a Q

For I obviously don't know what I'm talking about and don't really get this

Hang on guys. Let me get this straight. Are we saying that all a network needs is a piece of soft/hardware on it's network and all SSL, VPN browsing is pointless? What is it, some kind of skeleton key that can read any and all forms of SSL/Secure browsing. This irrespective of either the algorithm being used, nor the bit length of the key!

Is this what May has in mind. So all the protestations of people that it will only catch the stupid and the innocent is spurious.

What does it actually do, pretends to be a valid cert for any https, intercepting or overwriting the real one, thus letting you log in to your banking and then, as spyware sit there allowing real time, live streamed DPI?

So me at home on BTSKYGIN. I'm on their network, as per your analogies of a work intranet/subnet/ They install this or similar and it's game over isn't it,. Stream is on to GCHQ. Fait accompli. Private browsing is a complete myth.

Re: Idiot at back of class puts his hand up with a Q

It's a deliberate SSL "man in the middle" for corporate environments. Your office desktop SSL connects asks for the certificate for "mybank.com" and actually get the one generated by the box which is part of your corporate IT perimeter defense. This allows "the box" to decrypt the packets to perform DPI, and then it re-encrypts them with the real certificate on the way out of the door.

The issue is seems is that that automatic certificates which are generated on your box are signed with the same key as every other box, so someone else with "a box" can generate a fake certificate for "mybank.com" and any other user of "a box" who has accepted the root certificate to get their "a box" to work, will also accept the fake from the hacked "mybank.com".

And If I got that wrong will someone please explain =). El Reg - you need more diagrams in this kind of story, words just make this too hard to visualize!

Idiot at back of class, raises hand with a Q

For I obviously don't know what I'm talking about and don't really get this

Hang on guys. Let me get this straight. Are we saying that all a network needs is a piece of soft/hardware on it's network and all SSL, VPN browsing is pointless? What is it, some kind of skeleton key that can read any and all forms of SSL/Secure browsing. This irrespective of either the algorithm being used, nor the bit length of the key!

Is this what May has in mind. So all the protestations of people that it will only catch the stupid and the innocent is spurious.

What does it actually do, pretends to be a valid cert for any https, intercepting or overwriting the real one, thus letting you log in to your banking and then, as spyware sit there allowing real time, live streamed DPI?

So me at home on BTSKYGIN. I'm on their network, as per your analogies of a work intranet/subnet/ They install this or similar and it's game over isn't it,. Stream is on to GCHQ. Fait accompli. Private browsing is a complete myth.

Re: Idiot at back of class, raises hand with a Q

"In order for this type of appliance to work, the user's browser has to be configured up to accept the appliance as a root certificate authority."

And that's exactly the problem with Cyberoam using the same key on every appliance. Once you trust one Cyberoam appliance (e.g. your employer's) you trust them all (including for example one run by GCHQ).

Re: Idiot at back of class, raises hand with a Q

"You can't just put this box on a network and steal everyone's traffic. You have to convince them the box is trustworthy (or hack their browser) as well."

No, you just roll out the certificate update as part of the standard corporate software updates .... that works fine unless you have a few "rebel" users who aren't using the "corporate standards" and are running firefox (or even worse linux) and as a result get the "this connection is not trusted" warnings and realise what is happening. N.b. as this is in a corporate environment you've already signed up to a "the network connection is provided for business use and all traffic may be monitored" agreement.

Re: Permitted inspection of SSL traffic?

> How does this Cyberoam device get to read the trafffic?

If you tell your browser to trust it (because its your own device) you end up accidentally allowing all other cyberoam devices in the world to decrypt your traffic. Anyone else would need to be in the middle to get your traffic. A corrupt ISP minion might be enough.

Re: Permitted inspection of SSL traffic?

LOL@ Corrupt ISP. It's the law. Traffic is intercepted then copied/ routed through government HW in a rack in one of the ISP datacentres for analysis before forwarding. Not without a court order, however. But it is real, and it is now.

Re: Permitted inspection of SSL traffic?

It works like this.

When you think you've conected to https://mybank.com, you have actaully conected to the proxy device. It then creates a separate SSL connection to your bank. Therefore you share a session key with the proxy and it shares a completely different session key with your bank. For this to work your browser has to trust the proxy and this is where the certificate checking comes into play.

Re: Permitted inspection of SSL traffic?

I do not know whether a Cyberoam-type box could be used to let a bad guy read plaintext ssl traffic, or if so how easy it would be to do, even if the user's browser was set to accept Cyberoam-signed certificates and the box was operated by a bad guy who had access to the wires. It should not be possible, but ..

Just having Cyberoam-signed certificates accepted is not enough to be able to read plaintext - in order to do that the bad guy needs to know the secret key to the public key in the certificates, and the secret key is held "securely" in the box.

Without the secret key, even if a certificate is accepted, an authenticated ssl session cannot be set up - it is used to prove that whoever the user is talking to is the server on the certificate, as it knows the secret key to the public key in the certificate.

The box itself can read ssl traffic plaintext, but the plaintext content should stay in the box and be protected by the "secure hardware" which also protects the certificate key.

I do not know whether this is actually the case, never having seen inside a Cyberoam box - I rather suspect that some diligent digging inside the box might give access to plaintext traffic, but that it would not be straightforward. That's just a guess though.

However the box could be set to eg detect codewords and reject comms containing them, and I'd expect it would also alert the box's operator, so reusing CA keys is a definite hole.

Re: Permitted inspection of SSL traffic?

You are on a network with one of these Cyberoam devices setup so all your browsing is directed through it.

You go to https://www.yourbank.com.

Normally your browser requests the certificate from the banks site and it's given to you to setup the session between you all the way through to the bank's website.

But with one of these types of devices in line something else happens.

The Cyberoam device contacts your bank and gets the banks certificate so that it can setup a session between itself and the bank.

It then issues you with it's own certificate it has generated for the bank, to setup the session between you and the Cyberoam device.

So you have an encrypted session between you and the device using the Cyberoam issued cert, the data is then available as decrypted on the Cyberoam device, before it then re-encrypts it with the bank issued cert to create the encrypted session between the box and the bank.

Weapons Free Gentlemen?

Interception of communications

The device is acting as a man in the middle and intercepting ssl/tls communications. The end user may have agreed to this as part of their conditions of work, but the remote party (tor) will not have done.

This means that the device may be operating illegally under uk interception of commication legislation.

Re: Interception of communications

It is interception (as defined in law - the legal definition bears little resemblance to the everyday meaning) as both parties have not agreed to it, but it isn't illegal under uk interception of communications legislation. It's a bit like scanning emails for viruses - in fact it's almost identical to scanning emails for viruses.

The relevant law is subsection 3(3) of RIPA:

"Conduct consisting in the interception of a communication is authorised by this section if—

(a) it is conduct by or on behalf of a person who provides a postal service or a telecommunications service; and

(b) it takes place for purposes connected with the provision or operation of that service [...]"

The cyberoam box is operated by the office 'net, who are providers of a communications service (as defined), so a) is complied with.

The purpose of the interception is to protect the office network from viruses etc, and the office 'net might not operate if the protection was not in place, so b) is also complied with, and the interception is authorised and therefore lawful.